PoisonGAN: Generative Poisoning Attacks Against Federated Learning in Edge Computing Systems

Zhang, Jiale; Chen, Bing; Cheng, Xiang; Bình, Huỳnh Thị Thanh; Yu, Shui

doi:10.1109/jiot.2020.3023126

Cited by 153 publications

(78 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In label vector manipulation, the attackers can directly modify the labels of the training data into a targeted class, e.g., Label flipping attack [7], where some labels of training data (known as the "target" classes of the attacker) are flipped into another class to reduce the recognition performance of the target classes. Meanwhile, the attackers can also train a generative model for producing poisoning data [48]. On the other hand, the features of training data could be manipulated to achieve the goal of targeted data poisoning attack by input matrix manipulation [5], [9].…”

Section: Poisoning Attacksmentioning

confidence: 99%

LoMar: A Local Defense Against Poisoning Attack on Federated Learning

Zhao

et al. 2022

Preprint

View full text Add to dashboard Cite

Federated learning (FL) provides a high efficient decentralized machine learning framework, where the training data remains distributed at remote clients in a network. Though FL enables a privacy-preserving mobile edge computing framework using IoT devices, recent studies have shown that this approach is susceptible to poisoning attacks from the side of remote clients. To address the poisoning attacks on FL, we provide a two-phase defense algorithm called Local Malicious Factor (LoMar). In phase I, LoMar scores model updates from each remote client by measuring the relative distribution over their neighbors using a kernel density estimation method. In phase II, an optimal threshold is approximated to distinguish malicious and clean updates from a statistical perspective. Comprehensive experiments on four real-world datasets have been conducted, and the experimental results show that our defense strategy can effectively protect the FL system. Specifically, the defense performance on Amazon dataset under a label-flipping attack indicates that, compared with FG+Krum, LoMar increases the target label testing accuracy from 96.0% to 98.8%, and the overall averaged testing accuracy from 90.1% to 97.0%.

show abstract

Section: Poisoning Attacksmentioning

confidence: 99%

LoMar: A Local Defense Against Poisoning Attack on Federated Learning

Zhao

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…The authors further investigated adapting Krum and Reject on Negative Impact (RONI) [59] for defending Model Poisoning attacks, but with not enough success. Other approaches [60], [61] leveraged Generative Adversarial Networks (GANs) [62] for generating poisoned data. The created poisoned dataset is then used to train an adversarial model that reduced the attack's assumptions and increased the Model Poisoning attack's feasibility in real-world scenarios.…”

Section: A Targeting Integrity and Availabilitymentioning

confidence: 99%

“…Therefore, GANs may be split and use G autonomously. The authors in [60], [61] used GANs for datasets augmentation, enhancing the performance of Poisoning attacks. Similarly, an adversary might perform Inference attacks by reconstructing data using G [82].…”

Section: B Defending Integrity and Availabilitymentioning

confidence: 99%

On the Security & Privacy in Federated Learning

Abad¹,

Picek²,

Ramírez-Durán³

et al. 2021

Preprint

View full text Add to dashboard Cite

Advances in Machine Learning (ML) and its wide range of applications boosted its popularity. Recent privacy awareness initiatives as the EU General Data Protection Regulation (GDPR) -European Parliament and Council Regulation No 2016/679, subdued ML to privacy and security assessments. Federated Learning (FL) grants a privacy-driven, decentralized training scheme that improves ML models' security. The industry's fast-growing adaptation and security evaluations of FL technology exposed various vulnerabilities. Depending on the FL phase, i.e., training or inference, the adversarial actor capabilities, and the attack type threaten FL's confidentiality, integrity, or availability (CIA). Therefore, the researchers apply the knowledge from distinct domains as countermeasures, like cryptography and statistics.This work assesses the CIA of FL by reviewing the state-of-theart (SoTA) for creating a threat model that embraces the attack's surface, adversarial actors, capabilities, and goals. We propose the first unifying taxonomy for attacks and defenses by applying this model. Additionally, we provide critical insights extracted by applying the suggested novel taxonomies to the SoTA, yielding promising future research directions.

show abstract

“…First, Poisoning attacks seek to insert malevolent examples with erroneous annotation into the training data with the main aim to adjust the distribution of training data, thereby diminishing the discrimination power of the classifying different categories of system behaviors, which subsequently decline the model performance. Such attacks can be possibly initiated against deep learning models that require enthusiastically modernize their training data and learning parameters to cope with features of new attacks [62]. Second, the evasion attack in the basis of generating adversarial observations by adapting the attack structures to be somewhat dissimilar from the malevolent observations employed to train deep learning model; therefore, the possibility of detecting the attack get reduced, and even the attack evades the discovery, thereby dipping the performance of the system curiously [63].…”

Section: Interdependent Interrelated and Collaborative Ecosystemsmentioning

confidence: 99%

“…Later, this mined information is employed to carry out reversal engineering to acquire the confidential data of customers. Such an attack contravenes the customers' privacy by investigating their data, which are confidential under some instances (e.g., patients' medical data), injected in the deep learning training stage [62,65]. Therefore, the security of deep learning models that hold possible applications to protect IoT devices has to be realistically and satisfactorily protected against adversarial leakage of their gradient information.…”

Section: Interdependent Interrelated and Collaborative Ecosystemsmentioning

confidence: 99%